04-26-2020 02:01 PM
Hello,
We are working on a solution for the deployment of Cisco FTD, F5 load balancers and Nexus 9K switches (DC Core) with the following interests:
- To control and inspect the traffic between users and servers.
- To isolate the public-facing web servers sourced from the internet, e.g. a DMZ.
- The purpose of adding FTD is to integrate with AMP Cloud. We will be deploying AMP for endpoints and servers.
Current deployment
PAN-FW1 PAN-FW2
| |
| |
| |
Servers ---- TOR Switches --- 6807 ( Core Network) --- Access Layer ( users)
At the moment we have two internet boundary firewalls handling ingress/egress NAT and VPN connections.
So I am looking for advice on a validated design and suggestions on where to install the new firewall pairs, F5 and DC Core in the path mentioned above.
I would appreciate any feedback and suggestions.
I put together a fairly current
04-27-2020 03:16 PM
For internal users to DC servers that design works.
If you are looking at external access to internal, you need to create a DMZ here, with a different context in the FW.
So internal users use one context, and external access uses a different context.
Most of the time it's a hosting kind of setup, traffic north to south (this is your DMZ setup).
East-west traffic should have a common transit point; dynamic routes should be considered, so the traffic will not go north and come back again, a waste of bandwidth.
Look at some CVD guides on DC design; they should help. Again, this all depends on how you build and your expertise to fix things, dynamic routing vs. static routing. Every design has pros and cons.
04-26-2020 02:11 PM
You can connect Nexus switches to your Core Switch
Core -- Nexus --- FW -- LB -- Servers, at a high level.
04-26-2020 02:20 PM
Thanks Balaji. I have a couple of concerns here.
- In such a deployment, the Core would have default routes pointing to the Nexus, then the FW will control access to the servers.
What about the internet traffic from users and servers?
- Is this design for DMZ servers only? Or internal servers as well?
Core -- Nexus --- FW -- LB -- Servers
- Traffic originating from the internet to the web servers will hit the internet boundary firewall; how would it traverse to the DMZ servers?
- I just need to know the required traffic flow (direction, south-north or east-west) and pattern.
04-28-2020 03:24 PM
Thanks.
If you can provide the useful links, I would be very grateful.
04-29-2020 09:45 AM
Here are some design guides for reference:
If you are not sure, I would suggest contacting a local SE or Cisco partner to help you, so your investment will be protected at a small professional cost.
04-29-2020 11:41 AM
Thank you Balaji. Great help from the best professionals.